feat: add permission guards to credit note and vendor credit controllers

Add AuthorizationGuard and PermissionGuard to the following controllers: - CreditNoteRefundsController - CreditNotesApplyInvoiceController - VendorCreditApplyBillsController - VendorCreditsRefundController Add @RequirePermission decorators with appropriate actions: - View action for GET endpoints - Edit action for POST/DELETE endpoints - Refund action for refund-related operations Also fixes AuthorizationGuard to use userId from clsService instead of user.id from request for consistency with the abilities cache.
2026-02-25 00:59:50 +00:00 · 2026-02-16 20:04:48 +02:00
parent 174aec78ca
commit d5402b6a9b
5 changed files with 80 additions and 6 deletions
--- a/packages/server/src/modules/VendorCreditsApplyBills/VendorCreditApplyBills.controller.ts
+++ b/packages/server/src/modules/VendorCreditsApplyBills/VendorCreditApplyBills.controller.ts
@@ -1,16 +1,33 @@
-import { Body, Controller, Delete, Get, Param, Post } from '@nestjs/common';
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Param,
+  Post,
+  UseGuards,
+} from '@nestjs/common';
 import { VendorCreditApplyBillsApplicationService } from './VendorCreditApplyBillsApplication.service';
 import { IVendorCreditApplyToInvoicesDTO } from './types/VendorCreditApplyBills.types';
 import { ApiTags } from '@nestjs/swagger';
+import { ApiCommonHeaders } from '@/common/decorators/ApiCommonHeaders';
+import { RequirePermission } from '@/modules/Roles/RequirePermission.decorator';
+import { PermissionGuard } from '@/modules/Roles/Permission.guard';
+import { AuthorizationGuard } from '@/modules/Roles/Authorization.guard';
+import { AbilitySubject } from '@/modules/Roles/Roles.types';
+import { VendorCreditAction } from '../VendorCredit/types/VendorCredit.types';

@Controller('vendor-credits')
@ApiTags('Vendor Credits Apply Bills')
+@ApiCommonHeaders()
+@UseGuards(AuthorizationGuard, PermissionGuard)
 export class VendorCreditApplyBillsController {
  constructor(
    private readonly vendorCreditApplyBillsApplication: VendorCreditApplyBillsApplicationService,
  ) {}

  @Get(':vendorCreditId/bills-to-apply')
+  @RequirePermission(VendorCreditAction.View, AbilitySubject.VendorCredit)
  async getVendorCreditToApplyBills(
    @Param('vendorCreditId') vendorCreditId: number,
  ) {
@@ -20,6 +37,7 @@ export class VendorCreditApplyBillsController {
  }

  @Post(':vendorCreditId/apply-to-bills')
+  @RequirePermission(VendorCreditAction.Edit, AbilitySubject.VendorCredit)
  async applyVendorCreditToBills(
    @Param('vendorCreditId') vendorCreditId: number,
    @Body() applyCreditToBillsDTO: IVendorCreditApplyToInvoicesDTO,
@@ -31,6 +49,7 @@ export class VendorCreditApplyBillsController {
  }

  @Delete('applied-bills/:vendorCreditAppliedBillId')
+  @RequirePermission(VendorCreditAction.Edit, AbilitySubject.VendorCredit)
  async deleteAppliedBillToVendorCredit(
    @Param('vendorCreditAppliedBillId') vendorCreditAppliedBillId: number,
  ) {
@@ -40,6 +59,7 @@ export class VendorCreditApplyBillsController {
  }

  @Get(':vendorCreditId/applied-bills')
+  @RequirePermission(VendorCreditAction.View, AbilitySubject.VendorCredit)
  async getAppliedBillsToVendorCredit(
    @Param('vendorCreditId') vendorCreditId: number,
  ) {